# yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json
---
# renovate: datasource=docker depName=ghcr.io/siderolabs/installer
talosVersion: v1.7.5
# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
kubernetesVersion: v1.30.2

clusterName: "#{ bootstrap_cluster_name | default('home-kubernetes', true) }#"
endpoint: https://#{ bootstrap_controller_vip }#:6443
clusterPodNets:
  - "#{ bootstrap_pod_network.split(',')[0] }#"
clusterSvcNets:
  - "#{ bootstrap_service_network.split(',')[0] }#"
additionalApiServerCertSans: &sans
  - "#{ bootstrap_controller_vip }#"
  - 127.0.0.1 # KubePrism
  #% for item in bootstrap_tls_sans %#
  - "#{ item }#"
  #% endfor %#
additionalMachineCertSans: *sans

# Disable built-in Flannel to use Cilium
cniConfig:
  name: none

nodes:
  #% for item in bootstrap_node_inventory %#
  - hostname: "#{ item.name }#"
    ipAddress: "#{ item.address }#"
    #% if item.disk.startswith('/') %#
    installDisk: "#{ item.disk }#"
    #% else %#
    installDiskSelector:
      serial: "#{ item.disk }#"
    #% endif %#
    #% if bootstrap_secureboot.enabled %#
    machineSpec:
      secureboot: true
    talosImageURL: factory.talos.dev/installer-secureboot/#{ item.schematic_id | default(bootstrap_schematic_id) }#
    #% else %#
    talosImageURL: factory.talos.dev/installer/#{ item.schematic_id | default(bootstrap_schematic_id) }#
    #% endif %#
    controlPlane: #{ (item.controller) | string | lower }#
    networkInterfaces:
      - deviceSelector:
          hardwareAddr: "#{ item.mac_addr | lower }#"
        #% if bootstrap_vlan %#
        vlans:
          - vlanId: #{ bootstrap_vlan }#
            addresses:
              - "#{ item.address }#/#{ bootstrap_node_network.split('/') | last }#"
            mtu: #{ item.mtu | default(1500) }#
            routes:
              - network: 0.0.0.0/0
                #% if bootstrap_node_default_gateway %#
                gateway: "#{ bootstrap_node_default_gateway }#"
                #% else %#
                gateway: "#{ bootstrap_node_network | nthhost(1) }#"
                #% endif %#
            #% if item.controller %#
            vip:
              ip: "#{ bootstrap_controller_vip }#"
            #% endif %#
        #% else %#
        #% if item.address %#
        dhcp: false
        addresses:
          - "#{ item.address }#/#{ bootstrap_node_network.split('/') | last }#"
        routes:
          - network: 0.0.0.0/0
            #% if bootstrap_node_default_gateway %#
            gateway: "#{ bootstrap_node_default_gateway }#"
            #% else %#
            gateway: "#{ bootstrap_node_network | nthhost(1) }#"
            #% endif %#
        #% else %#
        dhcp: true
        #% endif %#
        mtu: #{ item.mtu | default(1500) }#
        #% if item.controller %#
        vip:
          ip: "#{ bootstrap_controller_vip }#"
        #% endif %#
        #% endif %#
    #% if item.manifests %#
    extraManifests:
      #% for manifest in item.manifests %#
      - #{ manifest }#
      #% endfor %#
    #% endif %#
    #% if item.extension_services %#
    extensionServices:
      #% for es in item.extension_services %#
      - name: #{ es.name }#
        configFiles:
        #% for cf in es.configFiles %#
          - content: |-
              #{ cf.content | indent(14, yes) }#
            mountPath: #{ cf.mountPath }#
        #% endfor %#
        #% if es.environment %#
        environment:
          #% for env in es.environment %#
          - #{ env }#
          #% endfor %#
        #% endif %#
      #% endfor %#
    #% endif %#
    #% for file in talos_patches('%s' % (item.name)) %#
    #% if loop.index == 1 %#
    patches:
    #% endif %#
      - "@./patches/#{ item.name }#/#{ file | basename }#"
    #% endfor %#
  #% endfor %#

# Global patches
patches:
  #% if bootstrap_dns_servers | length %#
  - # Force nameserver
    |-
    machine:
      network:
        nameservers:
          #% for item in bootstrap_dns_servers %#
          - #{ item }#
          #% endfor %#
  #% endif %#
  #% if bootstrap_ntp_servers | length %#
  - # Configure NTP
    |-
    machine:
      time:
        disabled: false
        servers:
          #% for item in bootstrap_ntp_servers %#
          - #{ item }#
          #% endfor %#
  #% endif %#
  #% if bootstrap_secureboot.enabled and bootstrap_secureboot.encrypt_disk_with_tpm %#
  - # Encrypt system disk with TPM
    |-
    machine:
      systemDiskEncryption:
        ephemeral:
          provider: luks2
          keys:
            - slot: 0
              tpm: {}
        state:
          provider: luks2
          keys:
            - slot: 0
              tpm: {}
  #% endif %#
  #% for file in talos_patches('global') %#
  - "@./patches/global/#{ file | basename }#"
  #% endfor %#

#% for file in talos_patches('controller') %#
#% if loop.index == 1 %#
# Controller patches
controlPlane:
  patches:
#% endif %#
    - "@./patches/controller/#{ file | basename }#"
#% endfor %#

#% if (bootstrap_node_inventory | selectattr('controller', 'equalto', False) | list | length) and (talos_patches('worker') | length) %#
#% for file in talos_patches('worker') %#
#% if loop.index == 1 %#
# Worker patches
worker:
  patches:
#% endif %#
    - "@./patches/worker/#{ file | basename }#"
#% endfor %#
#% endif %#
